Privacy Impact Assessments
Just as technology influences many aspects of our lives, it seems almost impossible to deliver health-care services without also relying on some type of technology or digital system. From basic computer programs and electronic communication to the use of large-scale clinical information systems such as Connect Care, we are increasingly taking advantage of digital platforms and innovations to improve patient care and safety. However, the greater use of technology in health care also comes with potential risks to patient privacy.
For this reason, the Alberta Health Information Act ("HIA") requires that custodians submit a privacy impact assessment ("PIA") to the Office of the Information & Privacy Commissioner ("OIPC") prior to implementing or using any new administrative practice or technology that might contain confidential patient health information.
What is a PIA?
A PIA is a document used to demonstrate to the OIPC that the use of a new process or system will have the necessary safeguards, policies, and procedures to ensure patient privacy is protected. A PIA will also contain information describing what "reasonable" safeguards are in place to mitigate any potential risk to patient privacy.
A PIA can vary in length and complexity depending on the nature of the initiative, and must be submitted to the OIPC by a custodian of health information, as defined in the HIA, on behalf of an organization, practice group, or an individual.
When would I need to complete and submit a PIA?
The OIPC1 provides examples as to when a PIA should be completed and submitted, applicable to both paper based or electronic information systems:
- You collect, use or disclose new health information that you did not collect, use or disclose before.
- You give access to health information to new parties.
- You implement a new service delivery or management technology that stores, transmits, or retrieves health information.
- You implement a new or different electronic health record system, or make changes to an existing one, such as adding portable devices with wireless network connections.
- You enter into an agreement with a new business partner or vendor who will have access to health information in your custody or control.
- You establish a new healthcare delivery model, such as a new Primary Care Network or a new Telehealth initiative.
- You create a new organization that will collect, use or disclose health information.
Other examples include:
- Using a secure messaging app to communicate confidential health information with your team.
- Using email to communicate with patients.
- Storing patient pictures or other diagnostic images on a device, computer or server.
- You want to submit health insurance claims digitally rather than by fax or email.
- You want to collect or use patient info to conduct a quality improvement study, including developing a patient registry.
- You want to implement a more efficient, digital intake form on your clinic's website.
Alberta Health Services has completed and submitted a PIA for the use of Connect Care. As a reminder, there is currently no PIA in place for using the University of Alberta Google suite of programs (e.g. Gmail, Google Drive, Google Sheets, etc.) to transmit or store identifiable patient information.
If you are an affiliate or a custodian and would like to implement a new administrative practice or information system, ensure you first discuss this with the custodian [for more information on determining whether you might be an affiliate or custodian, see the previous issue of Get HIP!, "Am I a Custodian or Affiliate? It's Confusing!"].
The need to submit a PIA may also be triggered upon a change to your existing administrative practices or information systems. For example, if you already have a PIA for your electronic medical or dental record, but would like to add a new feature that allows direct billing, or utilize a new smartphone app that allows you to schedule patients, you need to submit an amendment to the existing PIA. Likewise, if your clinic already has a PIA in place, but you would like to utilize tablets or a check in kiosk at your patient registration desk, a PIA amendment should be submitted to ensure the new technology and processes have the necessary privacy safeguards.
How do I complete a PIA?
The OIPC provides guidance on how to complete and submit at PIA. Resources are also found on the Alberta Medical Association website, as well as from the Alberta Dental Association.
Please contact your Health Information Privacy Advisor for assistance in determining whether you need to submit a PIA or a PIA amendment.